Windows BitLocker Drive Encryption Step-by-Step Guide

Updated: April 30, 2007

Applies To: Windows Server 2008, Windows Vista

This step-by-step guide provides the instructions you need to use Windows® BitLocker™ Drive Encryption in a test environment. We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Vista® operating system features without accompanying documentation (such as those listed in the Additional Resources section) and should be used with discretion as a stand-alone document.

What is BitLocker Drive Encryption?

BitLocker Drive Encryption is an integral new security feature in the Windows Vista operating system that provides considerable protection for the operating system on your computer and data stored on the operating system volume. BitLocker ensures that data stored on a computer running Windows Vista remains encrypted even if the computer is tampered with when the operating system is not running. This helps protect against "offline attacks," attacks made by disabling or circumventing the installed operating system, or made by physically removing the hard drive to attack the data separately.

BitLocker is designed to offer a seamless user experience. It is designed for systems that have a compatible TPM microchip and BIOS. A compatible TPM is defined as a version 1.2 TPM. A compatible BIOS must support the TPM and the Static Root of Trust Measurement as defined by the Trusted Computing Group. For more information about TPM specifications, visit the TPM Specifications section of the Trusted Computing Group's Web site (http://go.microsoft.com/fwlink/?LinkId=72757).

The TPM interacts with BitLocker to help provide seamless protection at system startup. This is transparent to the user, and the user logon experience is unchanged. However, if the TPM is missing or changed, or if the startup information has changed, BitLocker will enter recovery mode, and you will need a recovery password to regain access to the data.

Who should use BitLocker Drive Encryption?

This guide is intended for the following audiences:

IT planners and analysts who are evaluating the product

Security architects

In this guide

The purpose of this guide is to help administrators become familiar with the BitLocker Drive Encryption feature of Windows Vista. The sections below provide basic information and procedures that administrators need to start configuring and deploying BitLocker within their networks.

Scenario 1 provides instructions for creating the two partitions required for BitLocker Drive Encryption. Scenario 2 explains how to encrypt a drive using BitLocker and a TPM. Scenario 3 describes using the BitLocker advanced startup options. Scenario 4 describes how to access encrypted data after lockdown, and how to test BitLocker by generating a lockdown. Scenario 5 guides you through turning off BitLocker.

Note

The scenarios discussed in this guide pertain to using BitLocker Drive Encryption with operating system volumes. When the operating system volume is encrypted, BitLocker can also be used to encrypt fixed data volumes.

Requirements for BitLocker Drive Encryption

These steps are for testing only. This guide should not be the only resource you use to deploy Microsoft Windows Server® 2008 or Windows Vista features.

Hardware and software requirements

A computer that meets the minimum requirements for Windows Vista.

A TPM microchip, version 1.2, turned on (Scenarios 2 and 3).

A Trusted Computing Group (TCG)-compliant BIOS (Scenarios 2 and 3).

Two NTFS drive partitions, one for the system volume and one for the operating system volume. The system volume partition must be at least 1.5 gigabytes (GB) and set as the active partition (Scenario 1).

A BIOS setting to start up first from the hard drive, not the USB or CD drives.

Note

For any test that includes the USB flash drive, your BIOS must support reading USB flash drives at startup.

We strongly recommend that you do not run a kernel debugger while BitLocker is enabled, because encryption keys and other sensitive data can be accessed with the debugger. However, you can enable kernel debugging before you enable BitLocker. If you enable kernel debugging after you have enabled BitLocker, or if you enable boot debugging (kernel debugging with the "-bootdebug" option), the system will automatically start the recovery process every time you restart the computer.

Scenario 1: Partitioning a Hard Disk for BitLocker Drive Encryption

For BitLocker to work, you must have at least two partitions on your hard disk. The first partition is the system volume and labeled S in this document. This volume contains the boot information in an unencrypted space. The second partition is the operating system volume and labeled C in this document. This volume is encrypted and contains the operating system and user data.

The partitions must be created before installing Windows Vista.

Note

In some situations, a volume can involve multiple partitions. This document discusses only simple volumes, where a volume and a partition are functionally equivalent. BitLocker works with volumes, a logical structure; but many disk tools are concerned with physical disk partitions.

Scenario 1 describes how to create the two partitions required for BitLocker. This procedure assumes that you have backed up any data on the disk.

Make sure that you have backed up any data and that you have your product key for Windows Vista.

Note

If you have already installed Windows Vista on a single partition, you can use the BitLocker Drive Preparation Tool to configure the volumes required for BitLocker. For more information, see http://support.microsoft.com/kb/930063.

Partition a disk with no operating system for BitLocker

In this procedure you start the computer from the product DVD and then enter a series of commands to do the following:

Create a new 1.5 GB primary partition.

Set this partition as active.

Create a second primary partition using the rest of the space on the disk.

Format both new partitions so they can be used as Windows volumes.

Install Windows Vista on the larger volume (drive C).

Note

You must create a second active partition for BitLocker to work properly.

Your drive letters might not correspond to those in this example. In this example, the operating system volume is labeled C, and the system volume is labeled S (for system volume). In this example, we also assume that the system has only one physical hard disk drive.

To partition a disk with no operating system for BitLocker

Start the computer from the Windows Vista product DVD.

In the initial Install Windows screen, choose your Installation language, Time and currency format, and Keyboard layout, and then click Next.

In the next Install Windows screen, click Repair your computer, located in the lower left of the screen.

In the System Recovery Options dialog box, make sure no operating system is selected. To do this, click in the empty area of the Operating System list, below any listed entries. Then click Next.

In the next System Recovery Options dialog box, click Command Prompt.

Use Diskpart to create the partitions for the system volume and the operating system volume. At the command prompt, type diskpart, and then press ENTER.

Type select disk 0.

Type clean to erase the existing partition table.

Type create partition primary size=1500 to create a 1.5 GB (1500 MB) primary partition. This partition will become the system volume.

Type assign letter=S to give this partition the S designator.

Type active to set the new partition as the active partition.

Type create partition primary to create another primary partition. You will install Windows on this larger partition.

Type assign letter=C to give this partition the C designator.

Type list volume to see a display of all the volumes on this disk. You will see a listing of each volume, volume numbers, letters, labels, file systems, types, sizes, status, and information. Check that you have two volumes and that you know the label used for each volume.

Type exit to leave the diskpart application.

Type format c: /y /q /fs:NTFS to properly format the C volume.

Type format s: /y /q /fs:NTFS to properly format the S volume.

Type exit to leave the command prompt.

In the System Recovery Options window, use the close window icon in the upper right (or press ALT+F4) to close the window to return to the main installation screen. (Do not click Shut Down or Restart.)

Click Install now and proceed with the Windows Vista installation process. Install Windows Vista on the larger volume, C: (the operating system volume).

Scenario 2: Turning on BitLocker Drive Encryption

Scenario 2 outlines the procedures for turning on BitLocker Drive Encryption protection on a system with a TPM. After the volume is encrypted, the user logs onto the computer normally.

To turn on BitLocker Drive Encryption

If the User Account Control message appears, verify that the proposed action is what you requested, and then click Continue. For more information, see Additional Resources later in this document.

On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume.

If your TPM is not initialized, you will see the Initialize TPM Security Hardware wizard. Follow the directions to initialize the TPM and restart your computer.

On the Save the recovery password page, you will see the following options:

Save the password on a USB drive. Saves the password to a USB flash drive.

Save the password in a folder. Saves the password to a network drive or other location.

Print the password. Prints the password.

Use one or more of these options to preserve the recovery password. For each option, select the option and follow the wizard steps to set the location for saving or printing the recovery password.

When you have finished saving the recovery password, click Next.

Important

The recovery password will be required in the event the encrypted drive must be moved to another computer, or changes are made to the system startup information. This password is so important that it is recommended that you make additional copies of the password, stored in safe places, to ensure that you keep access to your data. You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a locked state (see Scenario 4: Recovering Data Protected by BitLocker Drive Encryption). This recovery password is unique to this particular BitLocker encryption. You cannot use it to recover encrypted data from any other BitLocker encryption session.

Important

Store recovery passwords apart from the computer for maximum security.

On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue.

Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and BitLocker verifies if the computer is BitLocker-compatible and ready for encryption. If it is not, you will see an error message alerting you to the problem.

If it is ready for encryption, the Encryption in Progress status bar is displayed. You can monitor the ongoing completion status of the disk volume encryption by dragging your mouse cursor over the BitLocker Drive Encryption icon in the tool bar at the bottom of your screen.

By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to this volume. The next time you log on, you will see no change. If the TPM ever changes or cannot be accessed, if there are changes to key system files, or if someone tries to start the computer from a disk to circumvent the operating system, the computer will switch to recovery mode until the recovery password is supplied.

Scenario 3 provides the procedures to change your computer's Group Policy settings so that you can enable BitLocker Drive Encryption without a TPM, or enable one of the BitLocker advanced startup options: using a TPM with a PIN or using a TPM with a startup key.

For a non-TPM scenario, you use a startup key to authenticate yourself. The startup key is located on a USB flash drive inserted into the computer before the computer is turned on. In such a scenario, your computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). Your BIOS can be checked by the hardware test near the end of the BitLocker setup wizard.

In a scenario that uses a TPM with an advanced startup option, you can add a second factor of authentication to the standard TPM protection: a PIN, "something you know," or a startup key on a USB flash drive, "something you have." To use a USB flash drive with a TPM, the computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). Your BIOS can be checked by the hardware test near the end of the BitLocker setup wizard.

Before you start

You must be logged on as an administrator.

You must have a USB flash drive to save the recovery password.

We recommend a second USB flash drive to store the startup key separate from the recovery password.

To turn on BitLocker Drive Encryption on a computer without a compatible TPM

Click Start, type gpedit.msc in the Start Search box, and then press ENTER.

If the User Account Control dialog box appears, verify that the proposed action is what you requested, and then click Continue. For more information, see Additional Resources later in this document.

If the User Account Control message appears, verify that the proposed action is what you requested, and then click Continue. For more information, see Additional Resources later in this document.

On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume.

On the Set BitLocker Startup Preferences page, select the Require Startup USB Key at every startup option. This is the only option available for non-TPM configurations. This key must be inserted each time before you start the computer.

Insert your USB flash drive in the computer, if it is not already there.

On the Save your Startup Key page, choose the location of your USB flash drive, and then click Save.

On the Save the recovery password page, you will see the following options:

Save the password on a USB drive. Saves the password to a USB flash drive.

Save the password in a folder. Saves the password to a network drive or other location.

Print the password. Prints the password.

Use one or more of these options to preserve the recovery password. For each option, select the option and follow the wizard steps to set the location for saving or printing the recovery password.

When you have finished saving the recovery password, click Next.

Important

The recovery password will be required in the event the encrypted drive must be moved to another computer, or changes are made to the system startup information. This password is so important that it is recommended that you make additional copies of the password, stored in safe places, to ensure that you keep access to your data. You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a locked state (see Scenario 4: Recovering Data Protected by BitLocker Drive Encryption). This recovery password is unique to this particular BitLocker encryption. You cannot use it to recover encrypted data from any other BitLocker encryption session.

Important

Store recovery passwords apart from the computer for maximum security.

On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue.

Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and BitLocker ensures that the computer is BitLocker-compatible and ready for encryption. If it is not, you will see an error message alerting you to the problem before encryption starts.

If it is ready for encryption, the Encryption in Progress status bar is displayed. You can monitor the ongoing completion status of the disk volume encryption by dragging your mouse cursor over the BitLocker Drive Encryption icon in the tool bar at the bottom of your screen or clicking on the Encryption balloon.

By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to that volume. The next time you turn your computer on, the USB flash drive must be plugged into a USB port on the computer. If it is not, you will not be able to access data on your encrypted volume. Store the startup key away from the computer to increase security.

If you do not have the USB flash drive containing your startup key, then to access the data, you will need to use recovery mode and supply the recovery password.

To turn on BitLocker Drive Encryption with a TPM plus a PIN or with a TPM plus a startup key on a USB flash drive

Click Start, type gpedit.msc in the Start Search box, and then press ENTER.

If the User Account Control dialog box appears, verify that the proposed action is what you requested, and then click Continue. For more information, see Additional Resources later in this document.

Select the Enabled option. For TPM plus a PIN or startup key configurations, you do not need to change any further settings, but you can choose to require or disallow users to create a startup key or PIN. Click OK.

Click Start, type gpupdate.exe /force in the Search box, and then press ENTER. Wait for the process to finish.

If the User Account Control message appears, verify that the proposed action is what you requested, and then click Continue. For more information, see Additional Resources later in this document.

On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume.

On the Set BitLocker startup preferences page, select the startup option you want. You can choose only one of these options:

No additional security.

Require PIN at every startup. You will see the Set the startup PIN page. Enter your PIN, confirm it, and then click Set PIN.

Require Startup USB key at every startup. You will see the Save your Startup Key page. Insert your USB flash drive, choose the drive location, and then click Save.

Note

Assistive technology software that runs on Windows, such as screen reading software, cannot read BitLocker startup screens because they are shown when the boot manager is running. The boot manager is code that runs before Windows is running. This includes screens shown when you type a PIN or recovery password, and any BitLocker error messages.

On the Save the recovery password page, you will see the following options:

Save the password on a USB drive. Saves the password to a USB flash drive.

Save the password in a folder. Saves the password to a network drive or other location.

Print the password. Prints the password.

Important

The recovery password will be required in the event the encrypted drive must be moved to another computer, or changes are made to the system startup information. This password is so important that it is recommended that you make additional copies of the password, stored in safe places, to ensure that you keep access to your data. You will need your recovery password to unlock the encrypted data on the volume if BitLocker Drive Encryption enters a locked state (see Scenario 4: Recovering Data Protected by BitLocker Drive Encryption). This recovery password is unique to this particular BitLocker encryption. You cannot use it to recover encrypted data from any other BitLocker encryption session.

Choose any of these options to preserve the recovery password. Store recovery passwords apart from the computer for maximum security. To choose more than one recovery password storage method, select one, follow the wizard to determine the location for saving or printing, and then click Next. You can then repeat this step to choose additional recovery password storage methods.

On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue.

Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and BitLocker ensures that the computer is BitLocker-compatible and ready for encryption. If it is not, you will see an error message alerting you to the problem before encryption starts.

If it is ready for encryption, the Encryption in Progress status bar is displayed. You can monitor the ongoing completion status of the disk volume encryption by dragging your mouse cursor over the BitLocker Drive Encryption icon in the tool bar at the bottom of your screen or clicking on the Encryption balloon.

By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to that volume. The next time you turn your computer on, the USB flash drive must be plugged into a USB port on the computer or you must enter your PIN. If you do not, you will not be able to access data on your encrypted volume. Store the startup key away from the computer to increase security. Without the startup key, or your PIN, you will need to go to recovery mode and supply the recovery password to access your data.

Scenario 4: Recovering Data Protected by BitLocker Drive Encryption

Scenario 4 describes the process for recovering your data after BitLocker has entered recovery mode. BitLocker locks the computer when a disk encryption key is not available. The following is a list of likely causes:

An error related to TPM occurs.

One of the early boot files is modified.

The TPM is inadvertently turned off and the computer is turned off.

The TPM is inadvertently cleared and the computer is turned off.

When a computer is locked, the startup process is interrupted very early, before the operating system starts. You must use the recovery password from a USB flash drive, or use the function keys to enter the recovery password. F1 through F9 represent the digits 1 through 9, and F10 represents 0.

Because recovery happens so early in the startup process, the accessibility features of Windows are not available. If you require accessibility features, consider what you will do in the event of recovery.

To test data recovery

Type tpm.msc in the Open box, and then click OK. The TPM Management Console is displayed.

Under Actions, click Turn TPM Off.

Provide the TPM owner password, if required.

When the Status panel in the TPM Management on Local Computer task panel reads "Your TPM is off and ownership of the TPM has been taken," close that task panel.

Close all open windows.

If the USB flash drive that contains your recovery password is plugged into the system, use the Safely Remove Hardware icon in the notification area to remove it from the system.

Click the Start button, and then click the Shutdown button to turn off your computer.

When you restart the computer, you will be prompted for the recovery password, because the startup configuration has changed since you encrypted the volume.

To recover access to data using BitLocker Drive Encryption

Turn on your computer.

If the computer is locked, the BitLocker Drive Encryption Recovery Console will appear.

You will be prompted to insert the USB flash drive that contains the recovery password.

If you have the USB flash drive with the recovery password, insert it, and then press ESC. Your computer will restart automatically. You do not need to enter the recovery password manually.

If you do not have the USB flash drive with the recovery password, press ENTER.

You will be prompted to enter the recovery password.

If you know the recovery password, type it and then press ENTER.

If you do not know the recovery password, press ENTER twice and turn off your computer.

Note

If you saved your recovery password in a file in a folder away from this computer, or on removable media, you can use another computer to open the file that contains the password. To locate the correct file, find Password ID on the recovery console display on the locked computer, and record this number. The file containing the recovery key uses this Password ID as the file name. Open the file and locate the recovery password in the file.
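The following script is an added example, not part of this guide: it performs the lookup described in the note above (find the saved file whose name is the Password ID shown on the recovery console and read the recovery password out of it) and checks the digits before they are keyed in with the function keys at the console. The Password ID, the password and the file layout are constructed for the example; the digit check relies on a property of the BitLocker recovery password format that the guide itself does not describe (each six-digit group is a multiple of 11 whose quotient fits in 16 bits).

```python
"""Look up a saved BitLocker recovery password by its Password ID and
sanity-check the digits before they are typed at the recovery console."""
import re
from pathlib import Path
from tempfile import TemporaryDirectory
from typing import List, Optional

# Constructed sample values (not a real Password ID or password). The file
# layout is an assumption for this example; the guide only states that the
# saved file is named after the Password ID shown on the recovery console.
SAMPLE_PASSWORD_ID = "5E9B1F3A-2C4D-4E7F-9A0B-1D2E3F4A5B6C"
SAMPLE_PASSWORD = "110055-220110-330165-440220-550275-660330-111221-123453"
SAMPLE_FILE_TEXT = (
    "BitLocker Drive Encryption recovery password\n\n"
    f"Password ID: {SAMPLE_PASSWORD_ID}\n\n"
    f"Recovery password:\n{SAMPLE_PASSWORD}\n"
)

# Eight groups of six digits separated by hyphens.
PASSWORD_RE = re.compile(r"\b\d{6}(?:-\d{6}){7}\b")


def password_groups(password: str) -> List[int]:
    """Split 'dddddd-dddddd-...' (eight groups of six digits) into integers."""
    parts = password.strip().split("-")
    if len(parts) != 8 or not all(len(p) == 6 and p.isdigit() for p in parts):
        raise ValueError("recovery password must be 8 groups of 6 digits")
    return [int(p) for p in parts]


def bad_groups(password: str) -> List[int]:
    """Indexes (0-7) of groups that fail the format's check rule: every group
    is a multiple of 11 and, divided by 11, fits in 16 bits. This rule is a
    known property of BitLocker recovery passwords, not something the guide
    states; a single mistyped digit makes its group stop being a multiple
    of 11, so the typo can be reported before the console rejects it."""
    return [i for i, g in enumerate(password_groups(password))
            if g % 11 != 0 or g // 11 > 0xFFFF]


def is_well_formed(password: str) -> bool:
    """True when the password has the right shape and every group checks."""
    try:
        return not bad_groups(password)
    except ValueError:
        return False


def find_recovery_password(folder: Path, password_id: str) -> Optional[str]:
    """Find the file whose name is the Password ID (any case, any extension,
    surrounding braces ignored) and return the password found inside it."""
    wanted = password_id.strip("{}").lower()
    for path in sorted(folder.iterdir()):
        if path.is_file() and path.stem.strip("{}").lower() == wanted:
            match = PASSWORD_RE.search(path.read_text(encoding="utf-8"))
            if match:
                return match.group(0)
    return None


def demo() -> Optional[str]:
    """Build a folder holding two saved password files and look one up by ID."""
    with TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / f"{SAMPLE_PASSWORD_ID}.TXT").write_text(
            SAMPLE_FILE_TEXT, encoding="utf-8")
        # A second, unrelated saved file that must not be returned.
        (folder / "11111111-2222-3333-4444-555555555555.TXT").write_text(
            "Recovery password:\n"
            "000000-000000-000000-000000-000000-000000-000000-000000\n",
            encoding="utf-8")
        return find_recovery_password(folder, SAMPLE_PASSWORD_ID)


if __name__ == "__main__":
    found = demo()
    print("found:", found)
    print("well-formed:", is_well_formed(found or ""))
    typo = SAMPLE_PASSWORD[:-1] + "4"          # last digit mistyped
    print("typo flagged in groups:", bad_groups(typo))
```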

Scenario 5: Turning off BitLocker Drive Encryption

Scenario 5 describes how to turn off BitLocker Drive Encryption and decrypt the volume. The procedure is the same for all BitLocker Drive Encryption configurations on TPM-equipped computers and computers without a compatible TPM.

When you turn off BitLocker, you can choose to either disable BitLocker temporarily, or to decrypt the drive. Disabling BitLocker allows TPM changes and operating system upgrades. Decrypting the drive means that the volume will once again be readable without BitLocker, and that all the BitLocker keys are discarded. Once a volume is decrypted, you must generate new keys by going through the encryption process again.

To turn off BitLocker Drive Encryption

From the BitLocker Drive Encryption page, find the volume on which you want BitLocker Drive Encryption turned off, and click Turn Off BitLocker Drive Encryption.

From the What level of decryption do you want dialog box, click either Disable BitLocker Drive Encryption or Decrypt the volume as needed.

By completing this procedure, you have either disabled BitLocker or decrypted the operating system volume.

Additional Resources

The following resources provide additional information about BitLocker Drive Encryption:

For help with BitLocker Drive Encryption, as with any Microsoft Windows component, please choose one of the support options listed on the Microsoft Help and Support Web site (http://go.microsoft.com/fwlink/?LinkId=76619).